Extracted

• • Target

    https://cdn.discordapp.com/attachments/1267926892216975464/1268066220922376246/krnl.zip?ex=66c22472&is=66c0d2f2&hm=48331772d64fdc6665c0c89a70c6b0ade5a8d57a8fa4061fac33ad2b472be6ef&

  Score

  10^/10

  xwormcredential_accessdiscoveryevasionexecutionpyinstallerratspywarestealertrojanupx

  • Detect Xworm Payload

  • Modifies visibility of file extensions in Explorer

    evasion

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks for any installed AV software in registry

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1